Phase 1 being up confirms the two FortiGate devices can authenticate and build the IKE SA. Phase 2 failing indicates the IPsec (Quick Mode) SA negotiation is failing due to mismatched Phase 2 parameters.
From the exhibit, the Phase 2 mismatches that would prevent SA establishment are:
1) Phase 2 selectors must mirror each other (Proxy IDs)
HQ-NGFW Phase 2 selector shows:
Local: 10.0.11.0/24
Remote: 172.20.1.0/24
BR1-FGT Phase 2 selector shows:
In FortiOS, Phase 2 comes up only when the peers’ selectors (proxy IDs) match as opposite pairs (local on one side = remote on the other).
✅ Fix: A. On BR1-FGT, set Remote Address to 10.0.11.0/255.255.255.0.
2) Phase 2 proposal must match (encryption/authentication)
HQ-NGFW shows encryption AES128 (with SHA1)
BR1-FGT shows encryption AES256 (with SHA1)
For Phase 2 to establish, both peers must have at least one common proposal (same encryption and authentication settings). With one side set to AES128 and the other to AES256, there is no match.
✅ Fix: D. On HQ-NGFW, set Encryption to AES256.
Why the other options are not correct
B. Enable Diffie-Hellman Group 2: The exhibit’s mismatch is not resolved by adding DH group 2, and DH group must match when PFS is enabled. This option does not align the peers based on what’s shown.
C. Set Seconds to 43200: Phase 2 lifetime mismatches typically do not prevent Phase 2 from coming up (the negotiated lifetime can be adjusted by the peers). The hard blockers here are the selectors and proposal mismatch.
Submit